                                   TEU - Docs

Short Description
Short Help
Startup Code
Program Termination
Generic Unpacking
Add Bytes
Subtract Bytes
Signature
PassiveX
DirectY
Save Delay
Command Line
Program Information
User Defined Code
Memory Save

------------------------------------------------------------------------------
Short description

TEU is an unpacker for DOS executables. It relies on the fact that a packed
or protected executable is always unpacked in memory before it runs. This is
the point where TEU takes control. It hooks some interrupts, executes the
victim and tries to detect the startup code of the compiler that was used to
build the victim's code. Once it has detected the compiler, it knows where to
find the original file size, program entry point and initial stack. The victim
is saved to disk, then this process is repeated in a different memory region.
After that, the two memory dumps are compared, and the relocations are
calculated and written to the newly generated executable.
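
The dump comparison described above can be sketched as follows. This is an added example, not TEU's own code: it assumes every relocation is a 16-bit segment fixup, so the same word differs between the two dumps by exactly the difference of the load segments. All function names and the sample bytes are constructed for illustration.

```python
import struct

def recover_relocations(dump1, seg1, dump2, seg2):
    """Compare two dumps of one program loaded at segments seg1 and seg2.

    Returns (image, relocs, unexplained): the image with every segment fixup
    rebased to load segment 0, the fixup offsets, and offsets that differ for
    some other reason (runtime state) and need manual review.
    """
    if len(dump1) != len(dump2):
        raise ValueError("dumps must have the same length")
    delta = (seg2 - seg1) & 0xFFFF
    if delta == 0:
        raise ValueError("dumps must come from different load segments")
    image, relocs, unexplained = bytearray(dump1), [], []
    i = 0
    while i < len(dump1):
        if i + 1 < len(dump1):
            (w1,) = struct.unpack_from("<H", dump1, i)
            (w2,) = struct.unpack_from("<H", dump2, i)
            if (w2 - w1) & 0xFFFF == delta:
                # The loader added the load segment here: undo it and record it.
                struct.pack_into("<H", image, i, (w1 - seg1) & 0xFFFF)
                relocs.append(i)
                i += 2
                continue
        if dump1[i] != dump2[i]:
            unexplained.append(i)
        i += 1
    return bytes(image), relocs, unexplained

def mz_reloc_table(relocs):
    """Encode offsets as MZ relocation entries (offset word, segment word)."""
    return b"".join(struct.pack("<HH", off & 0xF, off >> 4) for off in relocs)

def simulate_load(image, relocs, seg):
    """Constructed stand-in for the DOS loader: add seg at each fixup."""
    mem = bytearray(image)
    for off in relocs:
        (w,) = struct.unpack_from("<H", mem, off)
        struct.pack_into("<H", mem, off, (w + seg) & 0xFFFF)
    return mem

# Constructed sample: MOV AX,seg / MOV DS,AX / CALL FAR seg:0010 / NOP / data
ORIGINAL = bytes.fromhex("B80200" "8ED8" "9A10000500" "90" "00")
DUMP1 = simulate_load(ORIGINAL, [1, 8], 0x1234)
DUMP2 = simulate_load(ORIGINAL, [1, 8], 0x2345)
DUMP2[11] = 0x07  # constructed noise: a byte that changed for unrelated reasons
```

Offsets returned in the third list are differences the segment delta does not explain; they usually mean the two runs did not reach the same state.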

------------------------------------------------------------------------------
Short help

When executed without parameters, TEU shows its short help screen:

syntax: TEU [option [...]] FILENAME.EXT [option [...]]
option:
  -X:xx[,yy[,..]]  don't test for startup code:
     BC   Borland/Turbo C    BP   Turbo Pascal 5-7    CL   Clipper
     HC   Metaware High C    LC   Lattice C           M2   Fitted Modula 2
     MB   MS Quick Basic     MC   MS C                MP   MS Quick Pascal
     PB   PowerBASIC         SC   Symantec C          TB   TurboBASIC
     T3   Turbo Pascal 3     T4   Turbo Pascal 4      WC   Watcom C

  -!      save code after program termination.
  -G      generic unpacker (for unkno
  -A:nn   add nn bytes to saved code.
  -S:nn   subtract nn bytes from saved code.
  -P:pk   add "pk" or "PK" signature (default=autodetect).
  -P-     prevent signature adding.
  -M:nn   use PassiveX(TM) code nn (nn=1..4)
  -N:nn   save code after nn calls to Int21h (AH=30h/35h).
  -C:bla  command line bla for FILENAME.EXT (last option in line).
  -Y      use DirectY(TM)-control.

******************************************************************************
  -I      Program Information
  -U:ff,ccddee[...] User Defined Code
  -1      save memory to mem1.dat
  -2      save memory to mem2.dat and use mkexe to make mem.exe
******************************************************************************

------------------------------------------------------------------------------
Startup Code

Many protectors today use fake calls to Int21h to make unpackers like
INTRUDER, UPC or TEU think that the program's kernel has been reached and can
be saved to disk. With this option TEU will not look for the startup code of
the given compilers.

Syntax:
-X:xx[,yy[,..]]

Example:
TEU -x:BC,MC FILENAME.EXT
will ignore all code that looks like Borland C and Microsoft C startup code in
FILENAME.EXT.

------------------------------------------------------------------------------
Program Termination

Sometimes it is not possible to detect the startup code of a program because
the protector has changed it. In that case this option lets TEU detect the
compiler's termination code instead. For example, XPACK by JMT changes the
Borland Pascal startup code in a way that TEU can't detect.

Syntax:
-!

! The resulting CRACKED.EXE often will not run correctly !

------------------------------------------------------------------------------
Generic Unpacking

When this option is used, TEU looks for Int21h calls which do not relate to
any run-time libraries known by TEU.

Syntax:
-G

! The resulting CRACKED.EXE often will not run correctly !

------------------------------------------------------------------------------
Add Bytes

If TEU miscalculates the size of the saved file, this option can be used to
override TEU's calculation.

Syntax:
-A:nn

Example:
To save 10345 additional bytes after the code image, use
TEU -A:10345 FILENAME.EXT

------------------------------------------------------------------------------
Subtract Bytes

If TEU miscalculates the size of the saved file, this option can be used to
override TEU's calculation.

Syntax:
-S:nn

Example:
To save 10345 bytes less than TEU calculated, use
TEU -S:10345 FILENAME.EXT

------------------------------------------------------------------------------
Signature

Some packers (like the registered version of PKLITE) add signatures to the
FCBs. This enables the protected program to check whether the protection shell
is still there. TEU autodetects such signatures and saves them with the image.
If TEU misses one, this option directs TEU to add the given signature to the
saved image.

Syntax:
-P:pk or -P-

where
pk is 2 ASCII characters

Example:
To add a JV signature, use
TEU -P:JV FILENAME.EXT

To prevent TEU from adding any signature, use
TEU -P- FILENAME.EXT

------------------------------------------------------------------------------
PassiveX

This option is used to hide TEU from protectors which search specifically for
TEU in memory (like CrackStop, EXEL666, HackStop). The PassiveX level (nn)
defines the location and level of mutation.

Syntax:
-M:nn

where
nn is a number from 1 to 4.

------------------------------------------------------------------------------
DirectY

At the moment, this option is only used to unpack programs protected with
ProtX310. This protector uses a shell which hides the Int21h calls of the
program's runtime library, so the victim is invisible to TEU without this
option.

Syntax:
-Y

! Does not work on every machine !

------------------------------------------------------------------------------
Save Delay

Some protectors make fake calls to Int21h several times to confuse unpackers.
This option makes TEU ignore nn calls to Int21h and start looking for known
startup code at call nn+1.

Syntax:
-N:nn

------------------------------------------------------------------------------
Command Line

Passes a command line to the victim. This option must be the last one in the
line, because TEU uses everything after -C: as command line for the victim.

Syntax:
-C:bla

Example:
To call FILENAME.EXT with the command line praise JVP, use
TEU FILENAME.EXT -c:praise JVP

------------------------------------------------------------------------------
User Defined Code

This option lets the user unpack programs not known by TEU. If the given
function of Int21h is called and the defined bytes follow the call, then the
size of the program is calculated and the code is saved to disk. The user has
to search for the program entry point by himself.

To speed up searching for interesting functions and code fragments use
TEU-U.EXE.

Syntax:
-U:ff,ccddee[...]

where
ff  is the 2 digit function number of Int21h
ccddee  is the code following the Int21h call in hex (?? allowed for unknown
bytes)

Example:
To unpack a program containing the code

                            +-------+-----+-------+
                            | B4 09 | MOV | AH, 9 |
                            +-------+-----+-------+
                            | CD 21 | INT | 21h   |
                            +-------+-----+-------+
                            | 5A    | POP | DX    |
                            +-------+-----+-------+
                            | 58    | POP | AX    |
                            +-------+-----+-------+
call
TEU -U:09,5a58 FILENAME.EXT
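
The matching rule for -U can be modelled offline as shown here. This is an added example, not TEU's code: it assumes ff is hexadecimal and that the hook sees AH and the offset of the byte after the INT 21h instruction. The names, memory image and call log are constructed.

```python
def parse_user_code(spec):
    """Parse the value given to -U: as 'ff,ccddee[...]' -> (function, pattern).

    Pattern entries are byte values, or None for a '??' wildcard.
    Assumption: ff is hexadecimal, like the byte string that follows it.
    """
    func, _, code = spec.partition(",")
    if len(func) != 2 or not code or len(code) % 2:
        raise ValueError("expected ff,ccddee[...]")
    pattern = [None if code[i:i + 2] == "??" else int(code[i:i + 2], 16)
               for i in range(0, len(code), 2)]
    return int(func, 16), pattern

def first_match(spec, memory, calls):
    """Return the index of the first logged Int21h call that satisfies spec.

    calls is a list of (ah, return_offset) pairs: the function number in AH
    and the offset of the byte right after the INT 21h instruction.
    """
    func, pattern = parse_user_code(spec)
    for index, (ah, ret) in enumerate(calls):
        tail = memory[ret:ret + len(pattern)]
        if (ah == func and len(tail) == len(pattern)
                and all(p is None or p == b for p, b in zip(pattern, tail))):
            return index
    return None

# Constructed memory image: a decoy AH=09h call followed by other code, then
# the sequence from the example above (MOV AH,9 / INT 21h / POP DX / POP AX).
MEMORY = bytes.fromhex("B409CD21" "9090" "B409CD21" "5A58")
CALLS = [(0x09, 4), (0x09, 10)]  # constructed log of hooked calls
```

With this log, the first AH=09h call is skipped because the bytes after it are not 5A 58; only the second call satisfies the pattern.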

------------------------------------------------------------------------------
Program Information

Shows internal information about TEU like date of compilation, status ...

Syntax:
-I

------------------------------------------------------------------------------
Memory Save

Saves a memory image, like the TR commands wexe1 and wexe2.

Syntax:
-1      save memory to mem1.dat
-2      save memory to mem2.dat

and use mkexe to make mem.exe

------------------------------------------------------------------------------
